release: create releases for specified branches (#152)

* release: create releases for specified branches * release: split action into one for branches, one for tags * release: change the NIX_INSTALLER_BINARY_ROOT upon release This way, we can be sure we use the right binaries to match the script.
2023-01-09 08:28:39 -08:00 · 2023-01-09 08:28:39 -08:00 · d410728461
parent 844faa0d20
commit d410728461
2 changed files with 56 additions and 5 deletions
--- a/.github/workflows/release-branches.yml
+++ b/.github/workflows/release-branches.yml
@ -0,0 +1,49 @@
+name: Release Branch
+
+on:
+  push:
+    branches:
+      # NOTE: make sure any branches here are also valid directory names,
+      # otherwise creating the directory and uploading to s3 will fail
+      - 'main'
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write # In order to request a JWT for AWS auth
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Download Buildkite Artifacts
+        uses: EnricoMi/download-buildkite-artifact-action@v1.14
+        with:
+          buildkite_token: ${{ secrets.BUILDKITE_TOKEN }}
+          output_path: artifacts
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.AWS_S3_UPLOAD_ROLE }}
+          aws-region: us-east-2
+      - name: Publish Release (Branch)
+        run: |
+          sudo chown $USER: -R artifacts/
+
+          LATEST_BRANCH="latest_${{ github.ref_name }}"
+          mkdir "$LATEST_BRANCH"
+          mkdir "$GITHUB_SHA"
+
+          sed -i "s@https://install.determinate.systems/nix@https://install.determinate.systems/nix/rev/$GITHUB_SHA@" nix-installer.sh
+          cp nix-installer.sh "$GITHUB_SHA"/
+          cp nix-installer.sh "$LATEST_BRANCH"/
+
+          for artifact in $(find artifacts/ -type f); do
+            chmod +x "$artifact"
+            cp "$artifact" "$GITHUB_SHA"/
+            cp "$artifact" "$LATEST_BRANCH"/
+          done
+
+          # TODO: determine if these binaries have already been uploaded / are the exact same (try download and then hash if already exists as latest_*?)
+
+          aws s3 sync "$GITHUB_SHA"/ s3://${{ secrets.AWS_S3_UPLOAD_BUCKET }}/"$GITHUB_SHA"/ --acl public-read
+          aws s3 sync "$LATEST_BRANCH"/ s3://${{ secrets.AWS_S3_UPLOAD_BUCKET }}/"$LATEST_BRANCH"/ --acl public-read
--- a/.github/workflows/release-tags.yml
+++ b/.github/workflows/release-tags.yml
@ -1,7 +1,4 @@
-name: Release
-
-permissions:
-  contents: write
+name: Release Tags

 on:
  push:
@ -11,6 +8,8 @@ on:
 jobs:
  release:
    runs-on: ubuntu-latest
+    permissions:
+      contents: write # In order to upload artifacts to GitHub releases
    steps:
      - name: Checkout
        uses: actions/checkout@v3
@ -19,7 +18,10 @@ jobs:
        with:
          buildkite_token: ${{ secrets.BUILDKITE_TOKEN }}
          output_path: artifacts
-      - name: Publish Release
+      - name: Fixup URL in nix-installer.sh
+        run: |
+          sed -i "s@https://install.determinate.systems/nix@https://install.determinate.systems/nix/tag/$GITHUB_REF_NAME@" nix-installer.sh
+      - name: Publish Release (Tag)
        uses: softprops/action-gh-release@v1
        with:
          fail_on_unmatched_files: true